3 May
2012
3 May
'12
6:16 p.m.
On May 3, 2012, at 4:37 PM, Thomas Mortagne wrote:
On Thu, May 3, 2012 at 4:13 PM, Vincent Massol
<vincent(a)massol.net> wrote:
It's worse since multiwiki can be used in a farm which each wiki belonging to a
different company for example (possibly competitors) and they shouldn't see each
other's documents.
Thanks
-Vincent
On Apr 23, 2012, at 11:10 AM, Thomas Mortagne wrote:
Probably but that's another subject. You have the same issue in the
current wiki so it does not really have anything to do with multiwiki. Hi devs,
When Query Manager as been introduced by Artem I suggested to add a
setWiki to make easier to execute request on another wiki. For me it
was supposed to be usable by anyone and I discovered recently that it
was allowed only when the user has programming right.
Since I really don't see the point I propose to remove this check.
* all the users without programming right can do is to list documents
names so it's not very dangerous
* api;XWiki#searchDocumentsNames(String wikiName,
String
parameterizedWhereClause, int maxResults, int startOffset, List< ? >
parameterValues) does not have any check so what the query manager
prevent is doable anyway
Yes and that's not very good. I'm pretty sure I've seen some JIRA issues
opened to prevent this.
So while I'm ok to have consistent APIs we also need to think how to fix this in the
future. We would need an extra fast way to check if a user is allowed to view a given
document name. And then if not, return a special ForbiddenDocument document so that we
always return the number of items asked by execute().